{"api_version":"1","generated_at":"2026-04-22T19:50:46+00:00","cve":"CVE-2022-2881","urls":{"html":"https://cve.report/CVE-2022-2881","api":"https://cve.report/api/cve/CVE-2022-2881.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-2881","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-2881"},"summary":{"title":"CVE-2022-2881","description":"The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process.","state":"PUBLIC","assigner":"security-officer@isc.org","published_at":"2022-09-21 11:15:00","updated_at":"2022-11-16 20:12:00"},"problem_types":["CWE-125"],"metrics":[],"references":[{"url":"http://www.openwall.com/lists/oss-security/2022/09/21/3","name":"[oss-security] 20220921 ISC has disclosed six vulnerabilities in BIND (CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178)","refsource":"MLIST","tags":[],"title":"oss-security - ISC has disclosed six vulnerabilities in BIND (CVE-2022-2795,\n CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://kb.isc.org/docs/cve-2022-2881","name":"https://kb.isc.org/docs/cve-2022-2881","refsource":"CONFIRM","tags":[],"title":"CVE-2022-2881: Buffer overread in statistics channel code","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202210-25","name":"GLSA-202210-25","refsource":"GENTOO","tags":[],"title":"ISC BIND: Multiple Vulnerabilities (GLSA 202210-25) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-2881","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2881","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"2881","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"isc","cpe5":"bind","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-2881","qid":"15139","title":"ISC BIND Buffer Overflow Vulnerability (CVE-2022-2906, CVE-2022-2881)"},{"cve":"CVE-2022-2881","qid":"183327","title":"Debian Security Update for bind9 (CVE-2022-2881)"},{"cve":"CVE-2022-2881","qid":"198945","title":"Ubuntu Security Notification for Bind Vulnerabilities (USN-5626-1)"},{"cve":"CVE-2022-2881","qid":"296084","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 50.126.3 Missing (CPUOCT2022)"},{"cve":"CVE-2022-2881","qid":"502507","title":"Alpine Linux Security Update for bind"},{"cve":"CVE-2022-2881","qid":"502711","title":"Alpine Linux Security Update for bind"},{"cve":"CVE-2022-2881","qid":"710661","title":"Gentoo Linux ISC BIND Multiple Vulnerabilities (GLSA 202210-25)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"DATE_PUBLIC":"2022-09-21T09:39:29.000Z","ID":"CVE-2022-2881","ASSIGNER":"security-officer@isc.org","STATE":"PUBLIC","TITLE":"Buffer overread in statistics channel code"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"BIND9","version":{"version_data":[{"version_name":"Open Source Branch 9.18","version_value":"9.18.0 through versions before 9.18.7"},{"version_name":"Development Branch 9.19","version_value":"9.19.0 through versions before 9.19.5"}]}}]},"vendor_name":"ISC"}]}},"credit":[],"description":{"description_data":[{"lang":"eng","value":"The underlying bug might cause read past end of the buffer and either read memory it should not read, or crash the process."}]},"exploit":[{"lang":"eng","value":"This flaw was discovered in internal testing. We are not aware of any active exploits."}],"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"In BIND 9.18.0 -> 9.18.6 and versions 9.19.0 -> 9.19.4 of the BIND 9.19 development branch, when an HTTP connection was reused to request statistics from the stats channel, the content length of successive responses could grow in size past the end of the allocated buffer."}]}]},"references":{"reference_data":[{"name":"https://kb.isc.org/docs/cve-2022-2881","refsource":"CONFIRM","url":"https://kb.isc.org/docs/cve-2022-2881"},{"refsource":"MLIST","name":"[oss-security] 20220921 ISC has disclosed six vulnerabilities in BIND (CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177, CVE-2022-38178)","url":"http://www.openwall.com/lists/oss-security/2022/09/21/3"},{"refsource":"GENTOO","name":"GLSA-202210-25","url":"https://security.gentoo.org/glsa/202210-25"}]},"solution":[{"lang":"eng","value":"Upgrade to the patched release most closely related to your current version of BIND: BIND 9.18.7 or BIND 9.19.5."}],"source":{"discovery":"INTERNAL"},"work_around":[{"lang":"eng","value":"Disable the statistics channel."}]},"nvd":{"publishedDate":"2022-09-21 11:15:00","lastModifiedDate":"2022-11-16 20:12:00","problem_types":["CWE-125"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":8.2,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":4.2}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*","versionStartIncluding":"9.18.0","versionEndExcluding":"9.18.7","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:isc:bind:*:*:*:*:-:*:*:*","versionStartIncluding":"9.19.0","versionEndExcluding":"9.19.5","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}